From c6c542c89e2faffd3c350995f78811badf4c063a Mon Sep 17 00:00:00 2001 From: pinkforest <36498018+pinkforest@users.noreply.github.com> Date: Sun, 17 Mar 2024 09:51:08 +1100 Subject: [PATCH 1/4] Add rustls builder integration tests --- tests/builder.rs | 84 ++++++++++++++++++++++++++++++ tests/fake_cert_client_verifier.rs | 74 ++++++++++++++++++++++++++ tests/fake_cert_server_resolver.rs | 16 ++++++ tests/fake_cert_server_verifier.rs | 62 ++++++++++++++++++++++ tests/fake_time.rs | 14 +++++ 5 files changed, 250 insertions(+) create mode 100644 tests/builder.rs create mode 100644 tests/fake_cert_client_verifier.rs create mode 100644 tests/fake_cert_server_resolver.rs create mode 100644 tests/fake_cert_server_verifier.rs create mode 100644 tests/fake_time.rs diff --git a/tests/builder.rs b/tests/builder.rs new file mode 100644 index 0000000..ec82926 --- /dev/null +++ b/tests/builder.rs @@ -0,0 +1,84 @@ +extern crate alloc; +use alloc::sync::Arc; + +use rustls::ClientConfig as RusTlsClientConfig; +use rustls::ServerConfig as RusTlsServerConfig; + +use rustls_rustcrypto::provider as rustcrypto_provider; + +mod fake_time; +use fake_time::FakeTime; + +mod fake_cert_server_verifier; +use fake_cert_server_verifier::FakeServerCertVerifier; + +mod fake_cert_client_verifier; +use fake_cert_client_verifier::FakeClientCertVerifier; + +mod fake_cert_server_resolver; +use fake_cert_server_resolver::FakeServerCertResolver; + +// Test integration between rustls and rustls in Client builder context +#[test] +fn integrate_client_builder_with_details_fake() { + let provider = rustcrypto_provider(); + let time_provider = FakeTime {}; + + let fake_server_cert_verifier = FakeServerCertVerifier {}; + + let builder_init = + RusTlsClientConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider)); + + let builder_default_versions = builder_init + .with_safe_default_protocol_versions() + .expect("Default protocol versions error?"); + + let dangerous_verifier = builder_default_versions + .dangerous() + .with_custom_certificate_verifier(Arc::new(fake_server_cert_verifier)); + + // Out of scope + let rustls_client_config = dangerous_verifier.with_no_client_auth(); + + // RustCrypto is not fips + assert_eq!(rustls_client_config.fips(), false); +} + +use rustls::DistinguishedName; + +// Test integration between rustls and rustls in Server builder context +#[test] +fn integrate_server_builder_with_details_fake() { + let provider = rustcrypto_provider(); + let time_provider = FakeTime {}; + + let builder_init = + RusTlsServerConfig::builder_with_details(Arc::new(provider), Arc::new(time_provider)); + + let builder_default_versions = builder_init + .with_safe_default_protocol_versions() + .expect("Default protocol versions error?"); + + // A DistinguishedName is a Vec wrapped in internal types. + // DER or BER encoded Subject field from RFC 5280 for a single certificate. + // The Subject field is encoded as an RFC 5280 Name + //let b_wrap_in: &[u8] = b""; // TODO: should have constant somewhere + + let dummy_entry: &[u8] = b""; + + let client_dn = [DistinguishedName::in_sequence(dummy_entry)]; + + let client_cert_verifier = FakeClientCertVerifier { dn: client_dn }; + + let dangerous_verifier = + builder_default_versions.with_client_cert_verifier(Arc::new(client_cert_verifier)); + + let server_cert_resolver = FakeServerCertResolver {}; + + // Out of scope + let rustls_client_config = + dangerous_verifier.with_cert_resolver(Arc::new(server_cert_resolver)); + + // RustCrypto is not fips + assert_eq!(rustls_client_config.fips(), false); +} diff --git a/tests/fake_cert_client_verifier.rs b/tests/fake_cert_client_verifier.rs new file mode 100644 index 0000000..c10dfed --- /dev/null +++ b/tests/fake_cert_client_verifier.rs @@ -0,0 +1,74 @@ +extern crate alloc; +use alloc::vec::Vec; + +use rustls::DistinguishedName; +use rustls::Error; + +use rustls::SignatureScheme; + +use rustls::pki_types::CertificateDer; +use rustls::pki_types::UnixTime; +use rustls::DigitallySignedStruct; + +use rustls::client::danger::HandshakeSignatureValid; +use rustls::server::danger::ClientCertVerified; +use rustls::server::danger::ClientCertVerifier; + +#[derive(Debug)] +pub struct FakeClientCertVerifier { + pub dn: [DistinguishedName; 1], +} + +impl ClientCertVerifier for FakeClientCertVerifier { + fn root_hint_subjects(&self) -> &[DistinguishedName] { + &self.dn + } + fn verify_client_cert( + &self, + _end_entity: &CertificateDer<'_>, + _intermediates: &[CertificateDer<'_>], + _now: UnixTime, + ) -> Result { + Ok(ClientCertVerified::assertion()) + } + fn verify_tls12_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> Result { + Ok(HandshakeSignatureValid::assertion()) + } + fn verify_tls13_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> Result { + Ok(HandshakeSignatureValid::assertion()) + } + fn supported_verify_schemes(&self) -> Vec { + alloc::vec![ + SignatureScheme::RSA_PKCS1_SHA1, + SignatureScheme::ECDSA_SHA1_Legacy, + SignatureScheme::RSA_PKCS1_SHA256, + SignatureScheme::ECDSA_NISTP256_SHA256, + SignatureScheme::RSA_PKCS1_SHA384, + SignatureScheme::ECDSA_NISTP384_SHA384, + SignatureScheme::RSA_PKCS1_SHA512, + SignatureScheme::ECDSA_NISTP521_SHA512, + SignatureScheme::RSA_PSS_SHA256, + SignatureScheme::RSA_PSS_SHA384, + SignatureScheme::RSA_PSS_SHA512, + SignatureScheme::ED25519, + SignatureScheme::ED448, + //SignatureScheme::Unknown(u16), + ] + } + fn offer_client_auth(&self) -> bool { + true + } + fn client_auth_mandatory(&self) -> bool { + false + } +} diff --git a/tests/fake_cert_server_resolver.rs b/tests/fake_cert_server_resolver.rs new file mode 100644 index 0000000..69c2cb8 --- /dev/null +++ b/tests/fake_cert_server_resolver.rs @@ -0,0 +1,16 @@ +extern crate alloc; +use alloc::sync::Arc; + +use rustls::server::ClientHello; + +use rustls::server::ResolvesServerCert; +use rustls::sign::CertifiedKey; + +#[derive(Debug)] +pub struct FakeServerCertResolver; + +impl ResolvesServerCert for FakeServerCertResolver { + fn resolve(&self, _client_hello: ClientHello<'_>) -> Option> { + None + } +} diff --git a/tests/fake_cert_server_verifier.rs b/tests/fake_cert_server_verifier.rs new file mode 100644 index 0000000..dd88731 --- /dev/null +++ b/tests/fake_cert_server_verifier.rs @@ -0,0 +1,62 @@ +use rustls::client::danger::HandshakeSignatureValid; +use rustls::client::danger::ServerCertVerified; +use rustls::client::danger::ServerCertVerifier; +use rustls::pki_types::CertificateDer; +use rustls::pki_types::ServerName; +use rustls::pki_types::UnixTime; +use rustls::DigitallySignedStruct; +use rustls::Error; +use rustls::SignatureScheme; + +extern crate alloc; +use alloc::vec::Vec; + +#[derive(Debug)] +pub(crate) struct FakeServerCertVerifier; + +impl ServerCertVerifier for FakeServerCertVerifier { + fn verify_server_cert( + &self, + _end_entity: &CertificateDer<'_>, + _intermediates: &[CertificateDer<'_>], + _server_name: &ServerName<'_>, + _ocsp_response: &[u8], + _now: UnixTime, + ) -> Result { + Ok(ServerCertVerified::assertion()) + } + fn verify_tls12_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> Result { + Ok(HandshakeSignatureValid::assertion()) + } + fn verify_tls13_signature( + &self, + _message: &[u8], + _cert: &CertificateDer<'_>, + _dss: &DigitallySignedStruct, + ) -> Result { + Ok(HandshakeSignatureValid::assertion()) + } + fn supported_verify_schemes(&self) -> Vec { + alloc::vec![ + SignatureScheme::RSA_PKCS1_SHA1, + SignatureScheme::ECDSA_SHA1_Legacy, + SignatureScheme::RSA_PKCS1_SHA256, + SignatureScheme::ECDSA_NISTP256_SHA256, + SignatureScheme::RSA_PKCS1_SHA384, + SignatureScheme::ECDSA_NISTP384_SHA384, + SignatureScheme::RSA_PKCS1_SHA512, + SignatureScheme::ECDSA_NISTP521_SHA512, + SignatureScheme::RSA_PSS_SHA256, + SignatureScheme::RSA_PSS_SHA384, + SignatureScheme::RSA_PSS_SHA512, + SignatureScheme::ED25519, + SignatureScheme::ED448, + //SignatureScheme::Unknown(u16), + ] + } +} diff --git a/tests/fake_time.rs b/tests/fake_time.rs new file mode 100644 index 0000000..6c32199 --- /dev/null +++ b/tests/fake_time.rs @@ -0,0 +1,14 @@ +use rustls::time_provider::TimeProvider; +//use core::time::Duration; +use rustls::pki_types::UnixTime; + +// Required for no_std +#[derive(Debug)] +pub(crate) struct FakeTime; + +// TODO: Figure how to handle time +impl TimeProvider for FakeTime { + fn current_time(&self) -> Option { + None + } +} From abbe3615f7a6504fd867825b3228eebb9ad60f8f Mon Sep 17 00:00:00 2001 From: "pinkforest(she/her)" <36498018+pinkforest@users.noreply.github.com> Date: Wed, 3 Apr 2024 08:03:33 +1100 Subject: [PATCH 2/4] Use std Arc not Alloc Co-authored-by: Tony Arcieri --- tests/builder.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/builder.rs b/tests/builder.rs index ec82926..3fade34 100644 --- a/tests/builder.rs +++ b/tests/builder.rs @@ -1,5 +1,4 @@ -extern crate alloc; -use alloc::sync::Arc; +use std::sync::Arc; use rustls::ClientConfig as RusTlsClientConfig; use rustls::ServerConfig as RusTlsServerConfig; From 4495b71bee3f0963891f60fc07ff8c91e4cd6923 Mon Sep 17 00:00:00 2001 From: pinkforest <36498018+pinkforest@users.noreply.github.com> Date: Wed, 3 Apr 2024 08:06:58 +1100 Subject: [PATCH 3/4] Use std not alloc --- tests/fake_cert_client_verifier.rs | 5 ++--- tests/fake_cert_server_resolver.rs | 3 +-- tests/fake_cert_server_verifier.rs | 5 ++--- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/tests/fake_cert_client_verifier.rs b/tests/fake_cert_client_verifier.rs index c10dfed..73b7aca 100644 --- a/tests/fake_cert_client_verifier.rs +++ b/tests/fake_cert_client_verifier.rs @@ -1,5 +1,4 @@ -extern crate alloc; -use alloc::vec::Vec; +use std::vec::Vec; use rustls::DistinguishedName; use rustls::Error; @@ -48,7 +47,7 @@ impl ClientCertVerifier for FakeClientCertVerifier { Ok(HandshakeSignatureValid::assertion()) } fn supported_verify_schemes(&self) -> Vec { - alloc::vec![ + vec![ SignatureScheme::RSA_PKCS1_SHA1, SignatureScheme::ECDSA_SHA1_Legacy, SignatureScheme::RSA_PKCS1_SHA256, diff --git a/tests/fake_cert_server_resolver.rs b/tests/fake_cert_server_resolver.rs index 69c2cb8..7028c8b 100644 --- a/tests/fake_cert_server_resolver.rs +++ b/tests/fake_cert_server_resolver.rs @@ -1,5 +1,4 @@ -extern crate alloc; -use alloc::sync::Arc; +use std::sync::Arc; use rustls::server::ClientHello; diff --git a/tests/fake_cert_server_verifier.rs b/tests/fake_cert_server_verifier.rs index dd88731..8639540 100644 --- a/tests/fake_cert_server_verifier.rs +++ b/tests/fake_cert_server_verifier.rs @@ -8,8 +8,7 @@ use rustls::DigitallySignedStruct; use rustls::Error; use rustls::SignatureScheme; -extern crate alloc; -use alloc::vec::Vec; +use std::vec::Vec; #[derive(Debug)] pub(crate) struct FakeServerCertVerifier; @@ -42,7 +41,7 @@ impl ServerCertVerifier for FakeServerCertVerifier { Ok(HandshakeSignatureValid::assertion()) } fn supported_verify_schemes(&self) -> Vec { - alloc::vec![ + vec![ SignatureScheme::RSA_PKCS1_SHA1, SignatureScheme::ECDSA_SHA1_Legacy, SignatureScheme::RSA_PKCS1_SHA256, From 0be4ec1b198568065e51778f533e1ec055d7f55b Mon Sep 17 00:00:00 2001 From: pinkforest <36498018+pinkforest@users.noreply.github.com> Date: Wed, 3 Apr 2024 09:37:32 +1100 Subject: [PATCH 4/4] Coupleocleanups --- tests/fake_cert_client_verifier.rs | 2 -- tests/fake_cert_server_verifier.rs | 4 +--- tests/fake_time.rs | 7 ++----- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/tests/fake_cert_client_verifier.rs b/tests/fake_cert_client_verifier.rs index 73b7aca..a8dc9cc 100644 --- a/tests/fake_cert_client_verifier.rs +++ b/tests/fake_cert_client_verifier.rs @@ -1,5 +1,3 @@ -use std::vec::Vec; - use rustls::DistinguishedName; use rustls::Error; diff --git a/tests/fake_cert_server_verifier.rs b/tests/fake_cert_server_verifier.rs index 8639540..2786058 100644 --- a/tests/fake_cert_server_verifier.rs +++ b/tests/fake_cert_server_verifier.rs @@ -8,10 +8,8 @@ use rustls::DigitallySignedStruct; use rustls::Error; use rustls::SignatureScheme; -use std::vec::Vec; - #[derive(Debug)] -pub(crate) struct FakeServerCertVerifier; +pub struct FakeServerCertVerifier; impl ServerCertVerifier for FakeServerCertVerifier { fn verify_server_cert( diff --git a/tests/fake_time.rs b/tests/fake_time.rs index 6c32199..83dc3fa 100644 --- a/tests/fake_time.rs +++ b/tests/fake_time.rs @@ -1,12 +1,9 @@ -use rustls::time_provider::TimeProvider; -//use core::time::Duration; use rustls::pki_types::UnixTime; +use rustls::time_provider::TimeProvider; -// Required for no_std #[derive(Debug)] -pub(crate) struct FakeTime; +pub struct FakeTime; -// TODO: Figure how to handle time impl TimeProvider for FakeTime { fn current_time(&self) -> Option { None